NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

SECURITY OF THE NCUA DATA CENTER

Report # OIG-13-08
August 12, 2013

James Hagen
Inspector General

W. Marvin Stith, CISA
Senior IT Auditor

Table of Contents

Section                                   Page

EXECUTIVE SUMMARY                         1
BACKGROUND                                2
OBJECTIVE, SCOPE AND METHODOLOGY          4
RESULTS IN DETAIL                         5
APPENDIX
    A. NCUA Management Comments           11

SENSITIVE BUT UNCLASSIFIED

Security of the NCUA Data Center
OIG-13-08

Executive Summary

We conducted an audit to determine whether NCUA has adequate controls in place to protect computer systems and data in the              data center (data center) and in the                                                 computer rooms (computer rooms).

To accomplish this audit, we conducted fieldwork at NCUA's                    , the disaster recovery data center in                  ,                                                                    . We interviewed management and staff from the NCUA Office of the Chief Information Officer (OCIO); Division of Procurement and Facilities Management (DPFM); and AMAC. We reviewed NCUA documentation pertaining to the security of NCUA applications and data. We also reviewed National Institute of Standards and Technology policy and procedure publications.

We determined that overall the NCUA has controls in place to protect the computer systems and data hosted in its data center and in its computer rooms. However, NCUA could make improvements to more adequately control or monitor access to the data center's server room and to control access to the computer rooms. Specifically, NCUA needs to:

    -                                                                    ;

    -                                                                            ;

    -                                                                            ;

    -                                                                        .

We made four recommendations where NCUA could make improvements to better protect access to its mission-critical applications and data. NCUA agreed with all our recommendations. NCUA also indicated that, in addition to OCIO and AMAC working together to address the security issues, the Office of the Chief Financial Officer will help address recommendations 1, 2, and 4. We have included NCUA's comments in their entirety at Appendix A. We appreciate the courtesies and cooperation NCUA management and staff provided to us during this audit.

Background

Information Technology (IT) operations are a crucial aspect of most organizational operations, and agencies rely on their information systems for their operations. One of the main concerns is business continuity. If a system becomes unavailable, agency operations may be impaired or stopped completely. It is necessary to provide a reliable and secure infrastructure for IT operations in order to minimize any chance of disruption.

Data centers run organizations. The role of a data center includes generating revenue, storing sensitive data, and providing business-critical services. Because of their criticality and value, they are targets. A data center has to offer a secure environment that minimizes the chances of a security breach. Therefore, a data center must keep high standards for assuring the integrity and functionality of its hosted computer environment. A secure environment that minimizes the chance of a security breach and of unauthorized access to an agency's information systems would help protect sensitive data and mitigate intentional disruption of business-critical services.

While threats to an agency's computer systems and data can come from insiders or outsiders, insiders have a significant advantage over others who might want to harm the agency. Agencies implement security mechanisms such as electronic building access systems primarily to defend against external threats. However, insiders are not only aware of their organization's policies, procedures, and technology, but are often also aware of its vulnerabilities.

NCUA hosts the following systems that are critical to NCUA's mission:

    •   GSS (General Support System): Provides agency-wide network and computing infrastructure and is the computing platform for all major NCUA business applications.

    •   AIRES (Automated Integrated Regulatory Examination System): Enables NCUA and state examiners to review and validate financial data related to the operations of federally insured credit unions (FICUs) and some state-chartered, non-federally insured credit unions (NFICUs).

    •   ODCS (Call Reporting System): The primary means by which NCUA collects, validates, stores, and reports financial and operational data for all FICUs and some state-chartered NFICUs.

    •   IIS (Insurance Information System): Enables NCUA and member credit unions to update, submit, track, and manage credit union master information.

    •   ALMS (Asset Liquidation Management System): Provides the computing platform for the accounting of credit unions involved in the process of liquidation and for all major business applications of AMAC.

Objective, Scope and Methodology

The objective of this audit was to determine whether NCUA has adequate controls in place to protect computer systems and data in the             data center and in the                                             computer rooms.

To accomplish this audit, we conducted fieldwork at NCUA's                    , the disaster recovery center in                  , and the                                                             . We interviewed management and staff from the NCUA Office of the Chief Information Officer (OCIO); Division of Procurement and Facilities Management (DPFM); and AMAC. We reviewed NCUA documentation pertaining to the security of NCUA applications and data. We also reviewed National Institute of Standards and Technology policy and procedure publications.

We conducted this review from April 2013 through August 2013 in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objectives. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. During this audit, we used access authorization lists and access history logs generated from the            system.[1] We did not test the automated internal controls of this system. We relied on interviews and on what we learned about the operation of that system and NCUA's manual controls associated with it.

[1]        operates and manages security systems for its clients.

Results in Detail

We determined that overall the NCUA has controls in place to protect the computer systems and data hosted in its              data center (data center) and                computer rooms (computer rooms). However, the NCUA could make improvements to more adequately control or monitor access to the data center and to control access to the computer rooms. Specifically, NCUA needs to:

    -                                                                           ;

    -                                                                                   ;

    -   Log visitor access to the data center; and

    -                                                                               .

NCUA Data Center Structure and Access

The following rooms comprise the              data center:

    •           Systems Office - an administrative office area;

    •   Server room - houses the servers hosting             applications and data;

    •   Development lab -                                                                   ;

    •   File room -                                                     ; and

    •   Storage room -                            .

                                                  .

We recognize that the data center has a layer of physical security                                                          . However, this configuration is unconventional from a security control perspective in that

        . Consequently, this configuration presents a peculiar and unnecessary point of weakness within the data center's layered security that could potentially facilitate unauthorized access into the server room. This could allow access to the servers containing NCUA applications and data and disruption of NCUA operations.

Recommendation 2:

                                      .

Management Response:

We agree                                     . OCIO is already scheduled to meet with the Data Center Manager and will develop a plan                               by December 2014.

OIG Response:

We concur with management's planned actions.

NCUA Needs to Improve Visitor Access Control to the Data Center

NCUA has not consistently logged visitor access to the data center. In addition, NCUA's security policy for logging visitors into the data center is inconsistent with the method we observed NCUA has used for logging visitors.

OCIO keeps its visitor sign-in log       . However, there is evidence that OCIO does not consistently use the log. Specifically, we reviewed the log and determined it included entries from June 2005 through May 2013:

    •   There are 119 entries between September 2005 and October 2010 - an average of approximately two visits per month;

    •   There are 14 entries between January 2011 and November 2012 - approximately only one visit every two months;

    •   There was no entry on September 19, 2012, when contractors visited the data center as part of the 2012 FISMA review;[4]

    •   The OIG visit on May 17, 2013 - for a tour of the data center as part of this audit - was the first entry in the log since November 2012.

In addition, OCIO management and staff were not aware of the active use of a visitor log - they did not object to a finding during the 2012 FISMA review that indicated "NCUA does not maintain a log at the entrance of the data center to record data center visitors."

Furthermore, NCUA changed its security policy to reflect its intended new visitor logging procedure as follows: "The Data Center Manager is responsible for ensuring that physical access to the Data Center is logged into the System's Division Calendar located in SharePoint." However, the Director, Division of IT Operations, who has overall responsibility for the data center, indicated OCIO does not use SharePoint for logging visitors into the data center.

Without adequate logging of visitors, an accurate audit trail would be more difficult to reconstruct in the event of an incident within the data center.

Recommendation 3: We recommend NCUA review, document, and implement current policy and procedures for logging visitor access to the data center.

Management Response:

We agree and will have OCIO work with the Data Center Manager to ensure compliance effective immediately.

OIG Response:

We concur with management's planned actions.

[4] We did not pursue whether or not there were other visitors to the data center during the period covered by the visitor's log that OCIO staff should have logged.

NCUA Needs to Improve Security of                 Computer Rooms

The physical structures of the two computer rooms could allow for unauthorized access to the servers containing AMAC applications and data.

          .

                                                                            .
Consequently, a determined individual could gain access to the AMAC servers and disrupt AMAC operations.

Recommendation 4:

                    .

Management Response:

We agree that                                                       . OCIO met with AMAC to discuss the Data Center in late July. OCIO and AMAC will work together                                     installed by December 2014.

OIG Response:

We concur with management's planned actions.

Appendix A - NCUA Management Comments